AND THEY SAID TO THE TITANS: « WATCH OUT OLYMPIANS IN THE HOUSE! »

CSEC - Advanced Network Tradecraft 
SD Conference June 2012 
OLYMPIA & THE CASE STUDY




OLYMPIA 



CSEC’s Network Knowledge Engine 

Various data sources 
Chained enrichments 
Automated analysis 



Brazilian Ministry of Mines and Energy (MME) 

New target to develop 
Limited access/target knowledge 



QUESTIONS 



o How can I use the information available in SIGINT data sources to learn about the target?

o What can I find that would help me inform access development efforts?

o Can I automate the analytical process and/or re-use analytics designed for other purposes?



OLYMPIA AT A GLANCE

OLYMPIA - AUTOMATION

Numerous enrichment and data manipulation nodes

Drag and drop each node 
Create links between nodes 
Hit the Play button 

ANALYSIS - CASE STUDY



What we know about the target: 

- Domain: (gimme. gov.br 

- 9 DNR selectors 

- Very little collection 



ANALYSIS - DETERMINE TARGET’S IPs AND ISPs

ANALYSIS - DISCOVER TARGET’S PROXY

REMOTE PORT contains 443

ANALYSIS - DETERMINE IPs MY TARGET COMMUNICATES WITH

Hostname starting domain
IP starting domain
IP in contact with starting domain
Port used by starting domain
Owner of IP contact
Carrier of IP contact
ASN of IP contact
Country of IP contact

ANALYSIS - IDENTIFY POTENTIAL MAN ON THE SIDE OPERATION AGAINST MY TARGET

ANALYSIS - DISCOVER CONTACTS OF MY TARGET AND COLLECTION SITES I SEE MY TARGET ON

SUMMARY

Based on the information collected, I am better positioned to analyse my target’s telecoms environment.

MOVING FORWARD 



o I have identified MX servers which have been targeted to passive collection by the Intel analysts, who are assessing the value, provenance, etc. of the traffic generated by the mail servers.

o I am working with TAO to further examine the possibility for a Man on the Side operation.

o Based on the network information gathered, the NAC has started a BPoA analysis on the MME.



